Bug 1385428 - Assertion failure: tt == TOK_FUNCTION, at js/src/frontend/Parser.cpp:2584 with OOM and asm.js
Status: Closed, RESOLVED FIXED (opened 7 years ago, closed 7 years ago)
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla56
People: Reporter: decoder, Assigned: anba
References: Blocks 1 open bug
Keywords: assertion, bugmon, testcase; Whiteboard: [jsbugmon:update,bisect]
Attachments (1 file): bug1385428.patch, 4.27 KB, patch, luke: review+
The following testcase crashes on mozilla-central revision 5845151f1a2c (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-eager):

loadFile(`
try {
  Array.prototype.splice.call({
    get length() {
      "use asm"
      function f() {}
      return f;
    }
  });
} catch (e) {
  assertEq(e, s2, "wrong error thrown: " + e);
}
`);
function loadFile(lfVarx) {
  try {
    oomTest(new Function(lfVarx));
  } catch (lfVare) {}
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00000000004b7200 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::standaloneFunction (this=this@entry=0x7fffffff9d30, fun=..., fun@entry=..., enclosingScope=..., enclosingScope@entry=..., parameterListEnd=..., generatorKind=generatorKind@entry=js::NotGenerator, asyncKind=asyncKind@entry=js::SyncFunction, inheritedDirectives=..., newDirectives=0x7fffffff9410) at js/src/frontend/Parser.cpp:2584
#0  0x00000000004b7200 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::standaloneFunction (this=this@entry=0x7fffffff9d30, fun=..., fun@entry=..., enclosingScope=..., enclosingScope@entry=..., parameterListEnd=..., generatorKind=generatorKind@entry=js::NotGenerator, asyncKind=asyncKind@entry=js::SyncFunction, inheritedDirectives=..., newDirectives=0x7fffffff9410) at js/src/frontend/Parser.cpp:2584
#1  0x0000000000ab9762 in BytecodeCompiler::compileStandaloneFunction (this=this@entry=0x7fffffff9780, fun=fun@entry=..., generatorKind=generatorKind@entry=js::NotGenerator, asyncKind=asyncKind@entry=js::SyncFunction, parameterListEnd=...) at js/src/frontend/BytecodeCompiler.cpp:478
#2  0x0000000000ab9a5b in js::frontend::CompileStandaloneFunction (cx=cx@entry=0x7ffff6924000, fun=fun@entry=..., options=..., srcBuf=..., parameterListEnd=..., enclosingScope=..., enclosingScope@entry=...) at js/src/frontend/BytecodeCompiler.cpp:731
#3  0x0000000000d13e75 in HandleInstantiationFailure (metadata=..., args=..., cx=0x7ffff6924000) at js/src/wasm/AsmJS.cpp:8149
#4  InstantiateAsmJS (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at js/src/wasm/AsmJS.cpp:8181
#5  0x000000000054757b in js::CallJSNative (cx=cx@entry=0x7ffff6924000, native=0xd11750 <InstantiateAsmJS(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#6  0x000000000053c60b in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6924000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:469
#7  0x000000000053c9d8 in InternalCall (cx=cx@entry=0x7ffff6924000, args=...) at js/src/vm/Interpreter.cpp:514
#8  0x000000000053cb0d in js::Call (cx=cx@entry=0x7ffff6924000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:533
#9  0x000000000053ccac in js::CallGetter (cx=cx@entry=0x7ffff6924000, thisv=thisv@entry=..., getter=getter@entry=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:648
#10 0x0000000000ba7581 in CallGetter (vp=..., shape=..., receiver=..., obj=..., cx=0x7ffff6924000) at js/src/vm/NativeObject.cpp:2064
#11 GetExistingProperty<(js::AllowGC)1> (cx=0x7ffff6924000, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:2112
#12 0x0000000000ba8327 in NativeGetPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7ffff6924000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2343
#13 0x0000000000ba8b30 in js::NativeGetProperty (cx=cx@entry=0x7ffff6924000, obj=..., obj@entry=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:2377
#14 0x00000000004f7cd5 in js::GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff6924000) at js/src/vm/NativeObject.h:1536
#15 js::GetProperty (vp=..., name=0x7ffff46261a0, receiver=..., obj=..., cx=0x7ffff6924000) at js/src/jsobj.h:836
#16 js::GetProperty (vp=..., name=0x7ffff46261a0, receiver=..., obj=..., cx=0x7ffff6924000) at js/src/jsobj.h:852
#17 GetLengthProperty (cx=cx@entry=0x7ffff6924000, obj=..., obj@entry=..., lengthp=lengthp@entry=0x7fffffffac70) at js/src/jsarray.cpp:206
#18 0x0000000000503800 in array_splice_impl (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>, returnValueIsUsed=<optimized out>) at js/src/jsarray.cpp:2804
#19 0x000000000054757b in js::CallJSNative (cx=cx@entry=0x7ffff6924000, native=0x504810 <js::array_splice(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#20 0x000000000053c60b in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6924000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:469
#21 0x000000000053c9d8 in InternalCall (cx=cx@entry=0x7ffff6924000, args=...) at js/src/vm/Interpreter.cpp:514
#22 0x000000000053cb0d in js::Call (cx=cx@entry=0x7ffff6924000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:533
#23 0x00000000009c4deb in js::fun_call (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at js/src/jsfun.cpp:1247
#24 0x00003eb585b24843 in ?? ()
#25 0x00007fffffffb0d8 in ?? ()
#26 0x00007fffffffb028 in ?? ()
#27 0x00007ffff47006c0 in ?? ()
#28 0x0000000000000000 in ?? ()

rax 0x0 0
rbx 0x7fffffff9d30 140737488330032
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffff93d0 140737488327632
rsp 0x7fffffff9140 140737488326976
r8  0x7ffff6ef7770 140737336276848
r9  0x7ffff7fe4740 140737354024768
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x7fffffff9d48 140737488330056
r13 0x7fffffff918c 140737488327052
r14 0x0 0
r15 0x7fffffffa520 140737488332064
rip 0x4b7200 <js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::standaloneFunction(JS::Handle<JSFunction*>, JS::Handle<js::Scope*>, mozilla::Maybe<unsigned int> const&, js::GeneratorKind, js::FunctionAsyncKind, js::frontend::Directives, js::frontend::Directives*)+1184>
=> 0x4b7200 <js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::standaloneFunction(JS::Handle<JSFunction*>, JS::Handle<js::Scope*>, mozilla::Maybe<unsigned int> const&, js::GeneratorKind, js::FunctionAsyncKind, js::frontend::Directives, js::frontend::Directives*)+1184>: movl $0x0,0x0
   0x4b720b <js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::standaloneFunction(JS::Handle<JSFunction*>, JS::Handle<js::Scope*>, mozilla::Maybe<unsigned int> const&, js::GeneratorKind, js::FunctionAsyncKind, js::frontend::Directives, js::frontend::Directives*)+1195>: ud2
Comment 1 • 7 years ago (Assignee)
We tried to re-parse the getter method as a standalone function (|tt| was TOK_GET here [1]). But getter (and setter) methods shouldn't be accepted as asm.js functions in the first place, similar to how normal methods are already rejected in EstablishPreconditions().

[1] http://searchfox.org/mozilla-central/rev/09c065976fd4f18d4ad764d7cb4bbc684bf56714/js/src/frontend/Parser.cpp#2584
Comment 2 • 7 years ago

Comment on attachment 8891619: bug1385428.patch
Review of attachment 8891619:
Thanks!

Attachment #8891619 - Flags: review?(luke) → review+
Comment 3 • 7 years ago (Assignee)
Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=8997b7d045fca1be174dfedb8d14aa563e09a8bf
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/bf040a16d3ed Disable asm.js compilation in accessor methods. r=luke
Keywords: checkin-needed
Comment 5 • 7 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/bf040a16d3ed
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Updated • 7 years ago
status-firefox54: --- → wontfix
status-firefox55: --- → wontfix
status-firefox-esr52: --- → wontfix
Flags: in-testsuite+